Search AD password lengths


4 replies to this topic

#1 DeltaXray

DeltaXray

    Neowinian

  • Joined: 08-February 14

Posted 04 September 2014 - 09:32

Hi,

We have a need to change the network password requirements from 8 to 10 character minimum.

 

Whilst we can just change the GPO and users will have to change their password, my concern is for service accounts.

 

Is it possible to search AD (possibly with PowerShell?) in order to interrogate all user accounts in a given OU and provide a list of all accounts with a password 9 characters or shorter?

 

We have an encrypted password storage system but it is so awful it is not searchable to give us this information.

 

Alternatively, do password requirements only come into effect when a password is expired/has to be changed? If an account is set to have the password never expire would that not be affected by the change in requirements?

 

thanks




#2 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 04 September 2014 - 10:34

So do you not know what your service accounts are?  Why not just change to be in line with your new policy before you enforce the policy?

 

If you change the policy to say 10, and an account's password was set before at 8 - nothing will happen until the password needs to be changed.  It would then need to meet policy - if it never expires it could stay 8 until doomsday.

 

There is no way to search that sort of attribute on the passwords without knowing what they are.  You could search if expired, when set sort of thing - but the length, unless you break them know you would not be able to know what length they are.
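
The "when set" search mentioned in the post above, as an added example that is not part of the original thread: since length cannot be queried, it lists accounts whose password predates the policy change and marks the never-expiring ones that would keep the old password. The function name, policy date, OU path and sample records are assumptions made for illustration.

```powershell
# Added example. Password length is not queryable in AD, so the password set
# date and the never-expires flag are used as the searchable substitutes.
function Get-PrePolicyPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Account,

        # Date the new minimum length took effect (assumed, supplied by caller)
        [Parameter(Mandatory)]
        [datetime]$PolicyChangeDate
    )
    process {
        # pwdLastSet of 0 (never set, or change required at next logon) surfaces
        # as $null; the next password set has to meet the current policy.
        if ($null -eq $Account.PasswordLastSet) { return }
        # Set on or after the change date: already validated against the new minimum.
        if ($Account.PasswordLastSet -ge $PolicyChangeDate) { return }

        [pscustomobject]@{
            SamAccountName  = $Account.SamAccountName
            PasswordLastSet = $Account.PasswordLastSet
            NeverExpires    = [bool]$Account.PasswordNeverExpires
            # Never-expiring accounts keep the old password until someone rotates it
            Action          = if ($Account.PasswordNeverExpires) { 'Plan manual rotation' }
                              else { 'Rotates at next expiry' }
        }
    }
}

# Constructed sample records shaped like Get-ADUser output (not real accounts)
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-backup'; PasswordLastSet = [datetime]'2011-03-02'; PasswordNeverExpires = $true }
    [pscustomobject]@{ SamAccountName = 'svc-sql';    PasswordLastSet = [datetime]'2014-09-20'; PasswordNeverExpires = $true }
    [pscustomobject]@{ SamAccountName = 'jdoe';       PasswordLastSet = [datetime]'2014-08-01'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'newhire';    PasswordLastSet = $null;                  PasswordNeverExpires = $false }
)
$sample | Get-PrePolicyPassword -PolicyChangeDate '2014-09-15' | Format-Table -AutoSize

# Against a live domain (needs the ActiveDirectory module; the OU path is a placeholder):
# Get-ADUser -Filter * -SearchBase 'OU=Service Accounts,DC=example,DC=com' `
#     -Properties PasswordLastSet, PasswordNeverExpires |
#     Get-PrePolicyPassword -PolicyChangeDate '2014-09-15'
```

With the constructed records, `svc-backup` is reported for manual rotation and `jdoe` as rotating at next expiry; `svc-sql` and `newhire` are skipped.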



#3 Anibal P

Anibal P

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 11-June 02
  • Location: Waterbury CT
  • OS: Win 8.1
  • Phone: Android

Posted 06 September 2014 - 14:20

Could have sworn there was a setting in AD to force a password reset on next login, so set the policy to the group or OU and then essentially expire the passwords

 

I don't work in AD much, but I know the tool we use to check accounts has that option on an individual basis, there should be a global setting you can set, I hope 



#4 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 35
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 06 September 2014 - 14:54

Could have sworn there was a setting in AD to force a password reset on next login, so set the policy to the group or OU and then essentially expire the passwords

 

I don't work in AD much, but I know the tool we use to check accounts has that option on an individual basis, there should be a global setting you can set, I hope 

 

perhaps admodify could assist with that.

http://admodify.code...eases/view/6065



#5 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 06 September 2014 - 15:13

"force a password reset on next login"

 

That would be a horrific thing to do for service accounts ;)  Could break all kinds of stuff that way.